OSzone.net forum thread (http://forum.oszone.net/showthread.php?t=230592), forum section http://forum.oszone.net/forumdisplay.php?f=87

ahejanin 17-03-2012 13:54 1881187


: 2
. ! ( ). " " HTML . . ? :

alex_sev 17-03-2012 15:18 1881219

, , .

( - ):

:

begin
ShowMessage('! AVZ .'+#13#10+' .');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\machineupdate32.exe','');
QuarantineFile('C:\WINDOWS\system32\srvhls.exe','');
QuarantineFile('C:\WINDOWS\system32\uqfjwue.dll','');
QuarantineFile('C:\WINDOWS\system32\7A.tmp','');
QuarantineFile('C:\Documents and Settings\Admin\Application Data\elro.exe','');
DeleteFile('C:\WINDOWS\system32\7A.tmp');
DeleteFile('C:\Documents and Settings\Admin\Application Data\elro.exe');
DeleteFile('C:\WINDOWS\system32\uqfjwue.dll');
DeleteFile('C:\WINDOWS\system32\srvhls.exe');
DeleteFile('C:\WINDOWS\system32\machineupdate32.exe');
DeleteFileMask('C:\Documents and Settings\Admin\Application Data\WxAVLTzeDNU2ubx', '*.*', true);
DeleteDirectory('C:\Documents and Settings\Admin\Application Data\WxAVLTzeDNU2ubx');
DeleteFileMask('C:\Documents and Settings\Admin\Application Data\hyFGUTXVnxhwsSj', '*.*', true);
DeleteDirectory('C:\Documents and Settings\Admin\Application Data\hyFGUTXVnxhwsSj');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','Windows Debugger 32');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteWizard('SCU',2,3,true);
RebootWindows(true);
end.

, :
-

:

begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.

AVZ : quarantine <at> safezone.cc ( <at> @) () . : virus .

HJT:

:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Debugger 32] C:\WINDOWS\system32\machineupdate32.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\uqfjwue.dll

AVZ RSIT

Malwarebytes' Anti-Malware , , , "Perform Full Scan" (" "), "Scan" (""), - Ok - Show Results (" ") - .
MBAM , . MBAM.
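The HijackThis lines quoted in this post (an F2 UserInit entry, an O4 entry under Policies\Explorer\Run, and an O20 AppInit_DLLs entry) are the three persistence locations the AVZ script above cleans. The following parser is an added example, not code from the thread, from AVZ or from HijackThis: it turns such log lines into records and flags the ones a reviewer should look at (a UserInit value with extra entries, an autostart under Policies\Explorer\Run, any non-empty AppInit_DLLs). The sample input is constructed from the three quoted lines plus one invented benign O4 line for contrast; the line formats it matches are assumptions based on those quoted lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the three entries quoted in the thread plus one
# invented benign HKLM Run entry (not from the thread) for contrast.
SAMPLE_LOG = (
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe" "\n"
    r"O4 - HKCU\..\Policies\Explorer\Run: [Windows Debugger 32] C:\WINDOWS\system32\machineupdate32.exe" "\n"
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\uqfjwue.dll" "\n"
    r"O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe" "\n"
)


@dataclass
class HjtEntry:
    section: str          # "F2", "O4", "O20"
    location: str         # registry key or ini reference as logged
    name: Optional[str]   # entry name for O4 run-key entries, else None
    value: str            # path or value as logged
    finding: str          # empty when nothing stood out


# Assumed line formats, derived from the quoted log lines.
_F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>\w+)=(?P<value>.+)$")
_O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<value>.+)$")
_O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis line; return None for sections this example does not handle."""
    line = line.strip()

    m = _F2_RE.match(line)
    if m:
        # UserInit is a comma-separated list; normally only the system userinit.exe is present.
        parts = [p.strip() for p in m.group("value").split(",") if p.strip()]
        finding = ""
        if not parts or not parts[0].lower().endswith(r"\system32\userinit.exe"):
            finding = "UserInit does not start with the system userinit.exe"
        elif len(parts) > 1:
            finding = "extra UserInit entries run at every logon: " + ", ".join(parts[1:])
        return HjtEntry("F2", "system.ini:" + m.group("key"), None, m.group("value"), finding)

    m = _O4_RE.match(line)
    if m:
        loc = m.group("loc")
        finding = ""
        if "policies\\explorer\\run" in loc.lower():
            finding = "autostart under Policies\\Explorer\\Run; legitimate software rarely uses this key"
        return HjtEntry("O4", loc, m.group("name"), m.group("value"), finding)

    m = _O20_RE.match(line)
    if m:
        # Any DLL listed here is loaded into every process that loads user32.dll.
        return HjtEntry("O20", "AppInit_DLLs", None, m.group("value"),
                        "AppInit_DLLs entry is loaded into every process that loads user32.dll")

    return None


def parse_log(text: str) -> List[HjtEntry]:
    """Parse all recognised lines of a HijackThis log."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def flagged(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Return only the entries that carry a finding."""
    return [e for e in entries if e.finding]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.section:<4} {e.location}: {e.value}\n     -> {e.finding}")
```

Run it as-is to see the three quoted entries reported with their reasons while the constructed benign Run entry is parsed but not flagged; feed it a real log to review only the entries that merit attention.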

ahejanin 19-03-2012 09:38 1882253

: 3
. :

alex_sev 19-03-2012 12:34 1882349

MBAM :

:

HKCR\CLSID\{82184935-B894-4AB2-8590-603BA7D74B71} (Trojan.WebMoner) -> .
HKCR\Sekrety_narodnyh_umelcev_2.eProtocol (Trojan.WebMoner) -> .
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} (Trojan.BHO) -> .
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|SysDebug32 (Trojan.Agent) -> : Ύ'}ep?,V>Fto,=!HhR7"V*t%*t%*t%*t%*t%*t%*t%*t%ޒ>{o,OJt5|r4BD?k%ד_y {*t%*t%*t%*t%*t%*t%*t%*t%U96e4jQy=VZ
*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%*t%o*ʕ -> .
C:\Documents and Settings\Admin\DoctorWeb\Quarantine\personal.finances.pro.v4.0.0.1169-ismail.exe (PUP.Hacktool.Patcher) -> .
C:\WINDOWS\inf\EAM\inst_lsass.exe (Trojan.Agent) -> .
C:\Documents and Settings\Admin\Application Data\igfxtray.dat (Malware.Trace) -> .
C:\WINDOWS\system32\ieunitdrf.inf (Malware.Trace) -> .

AVZ:

:

begin
ShowMessage('! AVZ .'+#13#10+' .');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFileMask('C:\Documents and Settings\Admin\Application Data\88B13F96', '*.*', true);
DeleteDirectory('C:\Documents and Settings\Admin\Application Data\88B13F96');
DeleteFileMask('C:\Documents and Settings\Admin\Application Data\7a6vHav3hoOyMZC', '*.*', true);
DeleteDirectory('C:\Documents and Settings\Admin\Application Data\7a6vHav3hoOyMZC');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteWizard('SCU',2,3,true);
RebootWindows(true);
end.

XueTr OSAM
